
Final HITECH Rules – Will they include the “Threshold of Harm”?

by Rick Kam

What do the interim final rules require today?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 and was signed into law on February 17, 2009. It substantially strengthened the privacy and security requirements for covered entities and their business associates with respect to electronic health records and the transmission of health information. Specific provisions strengthened civil and criminal enforcement of existing HIPAA legislation. One of the new provisions required as part of this change was an incident-specific risk assessment: if a covered entity or business associate discovers a breach of unsecured PHI, it must determine the risk of financial, reputational, or other harm that could occur to individuals if their personal health information were misused. This provision in the interim final rules is known as the “threshold of harm”. Its basic purpose is to require a breached organization to determine whether or not notification to affected individuals is appropriate. The overall consensus of privacy experts is that the interim rule is causing confusion and is not in line with the congressional intent of the law.

What was the intent of Congress?

William Pewen worked on the language for the implementation of the HITECH Act. In his comments on a recent blog in Health Affairs, Mr. Pewen discusses the original intent Congress had for updating the HIPAA provisions and the rationale for the language that ended up in the interim final rules. Unfortunately, the interim final rules don’t support congressional intent. The rules contain several safe harbor provisions that negate the need to notify patients of a breach. These provisions are outlined clearly in Mr. Pewen's blog for your reference. They give an entity that takes reasonable steps to secure patient information the ability to make the right decision on whether to notify or not. This seems to bode well for the final rules being changed, but changed to what? There is also the requirement to provide a documented audit trail and an HHS/OCR report, which I don't believe will be removed from the final rule. All of this seems to point to continuing responsibility and accountability on an entity's part to manage data breach incidents and the resulting risk in a systematic fashion.

More enforcement as part of the final rules?

Kirk Nahra at Wiley Rein LLP published a comprehensive report on the Top 10 Privacy and Security Developments to Watch in 2011. In his report, he highlights the current state of several laws, including HITECH. He points to the potential for the Office for Civil Rights to engage in more enforcement directed at violations involving ongoing problematic behavior: organizations whose breaches are caused by the same recurring problems (e.g. unencrypted laptops, employee snooping, lack of breach prevention measures, etc.). I agree that this will put more attention on those organizations, prompting them to take action. Kirk Nahra points out that the enforcement “wild card” will be the state attorneys general and other enforcement agencies. He thinks they will be more aggressive in punishing entities that continue to breach protected health information. I also agree on this point. According to privacy experts in states like California, this has had a positive effect on state revenues as they fine entities for non-compliance with data breach notification laws.

About the Author


Rick Kam, CIPP, is founder and president of ID Experts. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.
